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1. I have reviewed the Report of Audit Appraisal, Human 
Resources System (HRS) of 31 March 1981, The HRS represents 
the development of a complex computer system and since its 
acceptance and activation in March of 1980, it has been used 
successfully, proving to be an accurate integrated centralized 
personnel information system responsive to Agency management 
requirements, The scope of the audit and the several findings 
are reasonable, constructive, and acceptable. 


2. Our actions and responses to the audit comments and 
recommendations are keyed to the report. 


Recommendation #1: Formally designate a data base 
manager for the HRS and give him final approval 
authority for all changes to the HRS, 


The Chief, Information Division is designated as the Data 
Base Manager of the HRS with responsibility for changes, 
interfaces, and access to the HRS. (Note: Chief, ID was not 
interviewed during the audit.) Supplementing this designation 
ts the alignment and utilization of Chief, Automated Data 
Resaurces Branch (ADRB) as the, Technical Data Base Manager, 
participating in the development and servicing of the data 
structure relevant to the software, testings, and system 
program implementation, This combination is a satisfactory 
and practical arrangement since Chief, Information Division, 
as DBM, confers and consults daily with Chief, ADRB and Chief, 
Information and Analysis Branch (TAB) for purposes of discussing . 
system applications, changes, controls, requirements, and 
resolution of problems. Chief, ID, by. this routine, is fully. 
cognizant of HRS activity with complete confidence in actions 


“ proposed and taken by C/ADRB and C/TAB. However, in furtherance 


of the audit recommendation, all requests for changes to the 
HRS (workorders) will be approved and signed by Chief, ID as 
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DBM, after impact assessment with C/ADRB. and C/IAB, as appropriate. 
In the absence of C/ID, the C/ADRB, as Technical DBM, will insure 
system continuity and IAB compatibility for HRS modifications, 
and sign workorders as needed. 


Rsconmendacien #2: Document in writing ADRB's testing 
and approval of software changes. The documentation 
should include as a minimum: the name of the individual 
‘testing the changes, the results obtained, the date of 
the test, the date of the approval, and the signature 

of the individual approving implementation of the change. 


Hard copy backup of testing information is maintained 
by ADRB and contains the documentation noted in Recommendation 
#2, but only a verbal approval to execute the change was given 
to ODP. This procedure has been changed to conform to the audit 
recommendation with ADRB giving ODP written approval for 
juphemen tiie software changes, 


Recommendation #3: Require prior written approval 
from the DBM or other designated individuals for 
changes to the Common Validation Dictionaries, 


Changes to COMVAD are controlled very closely with review 
and assessment of the requested change(s) by C/ADRB. AI11l 
requests are documented by ADRB and retained indefinitely 
(COMVAD audits are held for at least one year), Changes to 

..OMVAD will Be made only after C/ADRB or the DBM has placed 
signed approval on the documented request. 


' Recommendation #4: Request the ODP to modify the HRS 
....80@ that security violation notices reject the transaction 
at time of entry and such notices are recorded for 
‘suhsequent review and appropriate follow-up. 


ODP Production Division has been requested, by memorandum 
““-to have the system reject improper requests for data and to 
send daily listing of all security code violations issued by 
HRS=2. to ADRB for review and follow-up as appropriate, (Copy 
attached), 


. Recommendation #5; Periodically review the access 
_Tist and update as required. 


Operators on HRS data base have been reviewed; adds, 
~--ghanges, and deletes have been made to-align the data base, 
and signed user authorization lists have been sent tn each 
_..Hbranch having HRS-2 users. A quarterly review will be made to 
keep the lists current. ; 
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Recommendation #6 (For ODP): Follow established 
procedures to ensure that backup copies of HRS 
files are stored offsite in a’ timely manner. 


ODP Production Division has been requested, by 
memorandum, to conform with this recommendation. (Copy attached). 


Recommendation #7: Determine whether MINI-GAP can 
be used in lieu of manual posting of Service Record 
mn Cards. 


Although the Mini-GAP program contains data which is 
applicable to Service Record Cards (SCR/SF-7) purposes, it 
is data only from July 1975 forward. Moreover, configuration 
of the Mini-GAP file is not conducive (cost effective) to 
automated production of the SRC. Automated production of the 
SRC was planned as a component and function of the General 
Archives Program (GAP) -- a storage and retrieval system of 
history and personnel information from 1968 forward, Time 
and resource impasses necessitated the suspension of GAP 
development, However, its completion and applications, including 
elimination of manual posting of the SRC, remain objectives which 
yeprettably, at this time, are overtaken by higher priority 


commitments, .. ; 
Comment to Para 14: 


Security has been tested and installed on the race and 
handicap codes and the true name values on the production data 
_Base,. These codes/values have been protected previously but 
they are now. availahle to fewer system users. 


3, The appraisal was helpful and balanced, and I am 
appreciative of the efforts and consideration extended by the 
auditors. : 
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25X%1 MEMORANDUM FOR: Poe beens 
ief, Production Division, ODP 
25X1 FROM 2] EEaSraASD O 
1ef, Information Division, OP 


SUBJECT — : Compliance with the Audit of the Human 
Resources System 


a F 


1. The audit performed on the Human Resources Systen, 
(HRS) by the Information System Audit Division/Audit Staff, 
surfaced two areas of weakness in the overall strength of 
the HRS production environment. This memorandum will 
formalize Office of Personnel request to strengthen these 
areas: 


A. No record or notice of security violations 
is printed by the system, Improper requests 
for data from the HRS are not reported to the 
- DBM or other appropriate officials, 


REQUESTED ACTION: 


The system generates "Security Code Violation" to users 
who exceed their authority to extract or update information 
on the HRS. The security violation notices should reject 

“the transaction at the time of entry and I would like to obtain 

a listing on a daily basis of all security code violations 
issued by HRS2. The listing will be picked up the following 
morning and reviewed by OP/ADRB along with their’ review of 
the database statistics. 


B. Procedures for safeguarding the HRS data file 
have not Been followed by ODP. 


REQUESTED ACTION: 


miner anere te meee eran ee DP—Should- follow established- procedures -to -insure -that ‘. 
ba backup copies of HRS files are stored offsite in a timely manner. 
- "copies of HRS data files are created every night; a copy of 
the cutoff date tapes are stored at GC-47 in case GS-03 
>is damaged; and, monthly tapes are sent I would like 25X1 
"EO be assured that the procedures will be followed, 7-00 UU 
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2. The audit found that the HRS operates efficiently and 
is generally satisfying the needs of its users. Additionally, 
the personnel involved with the operation of the HRS were 
performing their assigned task in an effective manner. The 
service and fine performance of your Division certainly are a 
contribution to this effort and our accomplishments, Your 
assistance and support is greatly appreciated. 
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